SpankChain Hacker Returns Stolen Ethereum, Earns $9,000 Reward

The hacker who stole nearly $40,000 in ethereum from adult entertainment startup SpankChain has returned the stolen cryptocurrency, the company announced last night.

According to messages posted on the company’s official Twitter account, SpankChain CEO Ameen Soleimani reached an agreement with the anonymous hacker after speaking to them on the phone.

Following that conversation, the hacker provided SpankChain with the private key to an address holding the stolen funds and then further helped the company retrieve a few thousand dollars’ worth of funds that had been immobilized during the attack.

Update on our recent hack: @ameensol spoke with the attacker on the phone, and they sent us the private key with all the funds. We sent them back $5,000 as a reward along with the 5.5 ETH they used as seed capital for the attack.

Congratulations, anonymous haxor!

— SpankChain (@SpankChain) October 11, 2018

Operation "Save My Ass" is a success. The stuck BOOTY has been recovered. https://t.co/OpuHPWDXl5

— 👹 Ameen Soleimani (@ameensol) October 12, 2018

In return, SpankChain sent the hacker $5,000 as a bounty reward, purchased the formerly-frozen tokens back from them for $4,000, and returned the 5.5 ETH the hacker had used when launching the attack in the first place.

As CCN reported, the hack occurred last Saturday when the attacker successfully exploited a “reentrancy” bug in one of SpankChain’s smart contracts. The bug, similar to the one that led to the infamous downfall of The DAO, allowed the attacker to trick the SpankChain contract into allowing them to withdraw funds, even after the attacker’s payment channel balance had gone below zero.

The hacker originally made off with $38,000 in ethereum, and the attack immobilized a further $4,000 worth of SpankChain’s initial coin offering (ICO) token, BOOTY. Most of those funds belonged to the company, who had planned a $9,300 airdrop to compensate users for their losses.

Instead, the company paid out about $9,000 to the hacker, still far less than the $50,000 the company said that it would have cost to audit the smart contract prior to its deployment on the mainnet. However, the company has acknowledged in retrospect that the peripheral costs associated with foregoing that audit far exceeded the savings.

But while this specific incident was resolved remarkably amicably, computer scientist Emin Gün Sirer‏ has warned that many Ethereum smart contracts remain vulnerable to reentrancy attacks. Subsequent hacks may not have quite such a happy ending.